Canvas says it is back online and safe. Washington schools are still telling students to stay off. Here is what we know and what may have been exposed.
BELLINGHAM, Wash. — Area schools are warning students not to log in to Canvas, the learning management system used by schools and colleges across Washington, even as the company behind the platform says it is fully back online and safe to use.
“Do not log in to Canvas until further notice,” Whatcom Community College warned students Friday. “Canvas is down and we do not know when it will be back up. Please check your email for additional important information.”
That disconnect, between the company’s assurances and local school advisories, reflects ongoing uncertainty following a major global cybersecurity breach.
What Happened
On April 29, Instructure detected unauthorized activity on its platform and immediately revoked the attacker’s access.
Then, on May 7, investigators found additional unauthorized activity tied to the same incident. At that point, Instructure temporarily took Canvas offline to contain the breach and apply additional safeguards.
Instructure says the attacker exploited a vulnerability in Canvas Free-For-Teacher accounts. As a result, the company shut those accounts down entirely.
The hacking group ShinyHunters claimed responsibility. Moreover, reports indicate the group accessed data from thousands of schools and universities worldwide. Some institutions reportedly saw Canvas login pages replaced with ransom demands threatening to leak stolen data if payment did not arrive by May 12.
Local Impact
The Ferndale School District confirmed its systems were affected. “Our technology department is aware that the Ferndale School District was impacted in a recent incident involving Canvas,” the district wrote to families Friday morning.
Furthermore, the district said Instructure indicated passwords were not compromised and does not currently require password resets. However, it urged students and staff to watch for phishing emails.
Whatcom Community College confirmed the breach affects all Washington community and technical colleges, as well as the Washington State Board for Community and Technical Colleges.
Meanwhile, Western Washington University notified students and staff Thursday evening. CIO Chuck Lanham confirmed the third-party breach affected WWU, though the university’s own internal systems were not directly hacked.
“Canvas is down and we do not know when it will be back up.”
— Whatcom Community College, Friday May 9
What Data May Have Been Exposed
Instructure says the April 29 breach exposed certain personal information at affected institutions.
Specifically, that data includes names, email addresses, student ID numbers and messages among Canvas users.
Importantly, the company found no evidence that passwords, dates of birth, government identifiers or financial information were taken.
Regarding the May 7 activity, Instructure says it has not yet found evidence that additional data was taken. Nevertheless, the investigation is ongoing.
What Instructure Has Done
In response, Instructure revoked privileged credentials and access tokens, deployed platform-wide protections and rotated internal keys.
Additionally, the company restricted token creation pathways, added monitoring across its platforms, engaged a third-party forensic firm and notified law enforcement.
Instructure also notes that only Canvas was affected. Parchment, Mastery, Canvas Catalog and other products were not impacted.
“Canvas is fully back online and available for use,” the company stated Friday. “Our external forensic partner has reviewed the known indicators and found no evidence that the threat actor currently has access to the platform.”
Broader Scope and What Comes Next
The breach triggered outages at schools across the United States, Australia and Europe.
The timing created major disruption for institutions entering final exam periods and the final weeks of the academic year.
As of Friday afternoon, multiple Washington schools still advised students not to access Canvas. State and institutional technology teams continue working with Instructure to verify the platform’s safety before clearing students to return.
